The Privacy Guarantor sanctioned three Friulian local health authorities that, through the use of algorithms, had classified patients according to their risk of developing complications in the event of a Covid-19 infection.

The three local health authorities had processed the data held in their company databases in order to activate appropriate initiative medicine interventions for patients and to identify the most suitable diagnostic and therapeutic pathways in good time.

The object of the dispute

The investigation started from the report of a doctor who sent the Authority resolution no. 1737 of 20 November 2020 of the Regional Council of Friuli Venezia Giulia, which asked General Practitioners (GPs) to validate, for the purpose of pro rata payment of part of the variable fee, “through the regional IT portal, a list of users/assisted individuals previously identified by the Healthcare Company, according to its own criteria, such as in conditions of complexity and comorbidity for the purpose of statistical stratification by filling in IT files in which to report personal bio-humoral data, therapies, status pathology, family addresses, living conditions/habits, etc.”.

Attached to the resolution was a “memorandum of understanding between the FVG Region and the trade union organizations of GPs for the regulation of relations for the two-year period 2020-2021 and of the activities connected to the epidemiological emergency from Covid-19”. The report envisages, as the first objective, the “stratification, complexity and comorbidity at high risk of major complications for Covid-19 infections”. With respect to this objective, the “notes” section of the report gives brief indications on how the lists of patients to be submitted to the initiative medicine plans are prepared and on how they are downloaded, through the company Insiel, “from the portal of the continuity of care” and then made available to the health authorities.

The doctor's report stated that the resolution would require GPs to communicate their patients’ health data without the possibility for them to verify “if the Healthcare Company has previously given consent” to the processing of their personal data for the purpose of “statistical stratification”, also highlighting that this specific discipline provides for “the anonymous transmission of data for statistical or administrative purposes”.

The investigation

The Guarantor launched an investigation, asking the Friuli Venezia Giulia region for the legal basis of the data processing relating to the resolution in question; the methods for acquiring the informed consent of patients where the processing, although aimed at pursuing treatment purposes, is not strictly necessary for that purpose; a description of the data flows; and the impact assessment carried out.

The region replied that the processing was limited only to patients who had given specific consent to the communication of their data to their GP and that “the identification of assisted persons and their inclusion in the lists finds the legal basis in the generic consent provided by the interested party and relating to the visibility by the GP”.

In relation to the need to draw up an impact assessment, the Region stated that “no initiative medicine activity can, therefore, be identified in the activity described above and, consequently, no specific risk assessment activity is necessary primarily by the Region, which in any case never has access to personal data, but neither by the regional health authorities”.

The Region then specified that the stratification of patients took place using an algorithm of the Johns Hopkins ACG System which selects patients with RUB 4 and 5 classes. The “RUBs (Resource Utilization Bands) are synthetic measures of the degree of care complexity of a population understood in terms of expected consumption of resources on a scale of 0 to 5”. The necessary information was extracted from the regional data warehouse, in which each health authority is the Data Controller of the personal data of its assisted persons.

The processed data was pseudonymized through the application of random numerical codes processed by the Regional Health Coordination Agency (ARCS) for the attribution “of the filters on the Rub 4 and 5 classes and on the presence of consent to view the health file” and made available to the Insiel company. This company, “in order to communicate the data to each GP in relation to their patients, added the tax code, surname and name to the extraction and made the list of patients available on the regional application Portal of Continuity of Care”. The list consists of approximately 40,000 assisted persons.

Outcome and penalty

At the end of the investigation (one for each ASL), the Authority ruled that the data of the assisted persons had been processed in the absence of a suitable regulatory basis, without providing the interested parties with all the necessary information (in particular on the methods and purposes of the processing) and without having previously carried out the impact assessment required by the EU Data Protection Regulation.

The Authority reiterated that the profiling of health service users, whether regional or national, which involves automated processing of personal data aimed at analyzing and predicting the evolution of the health situation of the individual patient and its possible correlation with other elements of clinical risk, can only be carried out in the presence of a suitable regulatory prerequisite and in compliance with specific requirements and adequate guarantees for the rights and freedoms of the interested parties, all of which were lacking in the present case.

Having therefore ascertained the violations and assessed that in the specific case the operations, through the use of algorithms, had involved data on the health of a large number of patients, the Guarantor ordered each of the three health authorities to pay a fine of 55,000 euros and to proceed with the deletion of the processed data.

Anyone wishing to learn more about the case, which is very complex, can read the press release from the Guarantor and find the details of each measure on this page.